
ArcSight ThreatDetector

Automate pattern discovery and rule creation.

Product Highlights

Can One Needle Penetrate Your Company’s Defenses?

As IT environments evolve to become more complex, it becomes difficult for a small security team to determine if an event was triggered by normal system behavior or part of a coordinated attack. That is, unless you have a threat detection solution in place that can intelligently sort events. Micro Focus has developed a threat detection solution that takes your machine log data and applies heuristic analysis to identify patterns of normal and abnormal behavior. The result: a new level of monitoring that extends Security Information and Event Management (SIEM) so that patterns can be easily traced and monitored.

Discover Repeating Event Patterns

Micro Focus® ArcSight ThreatDetector automatically identifies patterns of both suspicious and seemingly unsuspicious events, instantly uncovering zero-day worms, low and slow attacks, and root-kit attacks. In addition to identifying malicious event patterns, ArcSight ThreatDetector also helps you find misconfigurations of network devices, systems, and applications.

Data Sheet | Security

Highlights

• Automate pattern discovery and intelligent rule creation
• Reduce false positives and prioritize issues accurately
• Accelerate your security program with intelligent, automated rule creation
• Comprehensive data capture for malicious pattern identification
• One-click rule building for fingerprinting unique patterns
• Automated notification and guided/automated response
• Periodic or on-demand scheduling
• Seamless integration with ArcSight Enterprise Security Manager (ESM) and ArcSight Express


This optional package for the ArcSight SIEM solution is built on patented technology that leverages ArcSight SIEM capabilities for comprehensive data capture, normalization, and categorization, producing accurate and detailed pattern analysis.

When ArcSight ThreatDetector identifies repeating event patterns, it captures event detail information that can help analysts separate benign patterns from malicious ones.

The platform automatically creates new rules in ArcSight SIEM to identify these threats in the future. By feeding this intelligence back into ArcSight SIEM, you immediately add a new layer of relevance to your security monitoring program.

ArcSight ThreatDetector automatically spots low and slow brute force attacks, which may otherwise avoid detection if they fail to trigger predefined thresholds—such as a number of consecutive failed login attempts. It also identifies repeated attacks even if the attack event behavior is out of sequence, as seen in more sophisticated scripted attacks (such as root-kit attacks).

Heuristic Analysis and Threat Detection

ArcSight ThreatDetector uses heuristic analysis to identify benign and malicious repeating event patterns and creates rules for future real-time detection of zero-day and low and slow attacks.

Key Benefits

With ArcSight ThreatDetector, your team gets the advantage of consummate knowledge and greater responsiveness to zero-day and automated attacks.

The powerful ArcSight ThreatDetector pattern identification engine looks for event patterns across any source data in the ArcSight SIEM platform and is capable of discovering repeating patterns across various parameters such as pairs of source and destination IP addresses, event behavior, and event outcomes.
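To make concrete the two points above (a consecutive-failure threshold misses a low and slow brute force, while counting repeating (source IP, destination IP, behavior, outcome) tuples over the whole capture does not), here is an added illustration written for this page; it is not ArcSight code, and the log lines and IP addresses are constructed:

```python
# Added example (not ArcSight code): a consecutive-failure threshold rule
# versus a repeating-pattern finder keyed on (src IP, dst IP, behaviour, outcome).
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 203.0.113.5 fails one SSH login every 10 minutes
# (low and slow); 10.0.0.21 is a user who mistypes twice, then succeeds.
SAMPLE_LOG = """\
2018-04-01T08:00:00 203.0.113.5 10.0.0.8 ssh-login failure
2018-04-01T08:01:10 10.0.0.21 10.0.0.8 ssh-login failure
2018-04-01T08:01:25 10.0.0.21 10.0.0.8 ssh-login failure
2018-04-01T08:01:40 10.0.0.21 10.0.0.8 ssh-login success
2018-04-01T08:10:00 203.0.113.5 10.0.0.8 ssh-login failure
2018-04-01T08:20:00 203.0.113.5 10.0.0.8 ssh-login failure
2018-04-01T08:30:00 203.0.113.5 10.0.0.8 ssh-login failure
2018-04-01T08:40:00 203.0.113.5 10.0.0.8 ssh-login failure
2018-04-01T08:50:00 203.0.113.5 10.0.0.8 ssh-login failure
"""

def parse(log):
    """Return events as (timestamp, src, dst, behaviour, outcome), time-sorted."""
    events = []
    for line in log.splitlines():
        ts, src, dst, behaviour, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, behaviour, outcome))
    return sorted(events)

def threshold_rule(events, n=5, window_s=60):
    """Classic SIEM rule: n consecutive failures from one source within window_s."""
    hits, streaks = set(), defaultdict(list)
    for ts, src, dst, _, outcome in events:
        if outcome != "failure":
            streaks[(src, dst)] = []  # a success breaks the streak
            continue
        streak = streaks[(src, dst)]
        streak.append(ts)
        while (ts - streak[0]).total_seconds() > window_s:  # drop old failures
            streak.pop(0)
        if len(streak) >= n:
            hits.add((src, dst))
    return hits

def repeating_patterns(events, min_count=5):
    """Pattern view: count identical (src, dst, behaviour, outcome) tuples over
    the whole capture regardless of spacing; report count and time span (s)."""
    groups = defaultdict(list)
    for ts, src, dst, behaviour, outcome in events:
        groups[(src, dst, behaviour, outcome)].append(ts)
    return {key: (len(tss), int((tss[-1] - tss[0]).total_seconds()))
            for key, tss in groups.items() if len(tss) >= min_count}
```

On this sample the threshold rule never fires, while the pattern view reports the six failures from 203.0.113.5 spread over 3000 seconds; the user's two mistypes stay below the count and are not reported.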

Without this analysis, the incremental behavior of derivative worms would otherwise be invisible, because an IDS only discovers worms that match a defined signature. ArcSight ThreatDetector helps you avoid damaging consequences by identifying all events related to new worm variants, even if they have changed slightly to thwart detection.

Key Features

Early Threat Detection

There are hidden event patterns that can be found within millions of raw security events and alerts generated by devices within your IT environment. ArcSight Enterprise Security Manager (ESM) provides a broad classification of security data, thereby creating comprehensive pattern identification for these alerts. For example, ArcSight ThreatDetector can identify a new worm variant as a set of repeating, related events. Captured event detail can show events following or preceding a known worm intrusion detection system (IDS) signature. The benefit of using our sophisticated correlation technique for threat detection is that it reduces false positives so that the security team can focus on incidents that are critical.

Sophisticated Pattern Recognition Techniques

ArcSight ThreatDetector correlates events via our patented threat intelligence technology to find relationships that are not apparent to the human eye. By applying machine learning, it can discover subtle relationships and risks across your environment.

Profiles Good and Abnormal Behavior

Another unique strength is the ability to profile activity and discover patterns in large collections of events that have already occurred. Our activity-profiling engine can churn through events to find relationships that aren’t readily apparent to the human eye. This machine learning can discover subtle relationships and risks across many variables. It can profile good and bad behavior so that if a user starts engaging in activities that are out of profile or risky, you can take action early.

Threat Detection in User Behavior Patterns

ArcSight ThreatDetector can be used to uncover modern cyber crime. Our system detects sophisticated threats including zero-day outbreaks and fraud by correlating the “Who”, “What”, “Where”, and “Why” of an activity. This includes correlating user roles and trends to determine who is violating policies and putting the business at risk.

Takes Action

ArcSight ThreatDetector can proactively alert and notify you when suspicious or malicious activity has occurred in your environment. Alerts and notifications can be sent via email to escalate issues to the security team so that a proper response can be deployed in a short timeframe.

Integration with ArcSight ESM Automated Response

Once patterns are known, and analysts determine whether the pattern represents innocuous traffic or a malicious attack, ArcSight ThreatDetector seamlessly integrates with the ArcSight SIEM solution’s robust correlation engine, enabling one-click rule building that automatically recognizes and responds to recurring patterns. The response can range from a notification, to opening a new case, to an automated or guided response using ArcSight Threat Response Manager. What does this mean for you? A shortened window of vulnerability and a better defense for your network.

Expanding Library of Risks

ArcSight ThreatDetector works by continually building a library of known suspicious event patterns that are unique to your network, thereby allowing you to increasingly automate your threat intelligence and security program. As a result, ArcSight ThreatDetector users can reduce time spent on analysis and instead focus on more proactive security measures.

Learn More At
www.microfocus.com/arcsightesm

Figure 1. ArcSight ESM Console with ThreatDetector

Contact us at: www.microfocus.com

360-000136-001 | 4AA4-3193 | H | 04/18 | © 2018 Micro Focus. All rights reserved. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.

“Due to the sophisticated collection and correlation capabilities of ArcSight ESM, we have an intelligent system that makes sense of the thousands of events and log records we generate each day—helping us to quickly identify and respond to all of the security incidents that matter.”

Information Security Manager
NetApp